According to Microsoft VP Dean Hachamovitch, after the Safari Google cookies snafu hit, the Internet Explorer team discovered that Google was "employing similar methods to get around the default privacy protections in IE and track IE users with cookies" too. Microsoft has found that Google bypasses the P3P Privacy Protection feature in IE to track users. Google is breaking the rules, specifically:

Google utilises a nuance in the P3P specification that has the effect of bypassing user preferences about cookies. The P3P specification (in an attempt to leave room for future advances in privacy policies) states that browsers should ignore any undefined policies they encounter. Google sends a P3P policy that fails to inform the browser about Google's use of cookies and user information. Google's P3P policy is actually a statement that it is not a P3P policy. It's intended for humans to read even though P3P policies are designed for browsers to "read".

Basically, Google wrongfully bypasses the protection so that its cookies are allowed rather than blocked, which lets Google track the browsing habits of Internet Explorer users. In the meantime, Microsoft has made a Tracking Protection List to protect IE9 users from Google. The list can be found here. [IE Blog]

Wow, way to exaggerate it to ridiculous proportions, are you sure you're not one of the journalists on this site?

1. Google have now disabled the "problem" code
2. They have already said it was just cookies, i.e. DIDN'T COLLECT PERSONAL INFORMATION
3. It's designed to show whether someone using other browsers is signed into Google's services (i.e. their Google account), you are giving no more information to them than you would have by using your Google account in Chrome.

This is clearly a case where they've shortcutted their code to be able to track Google ecosystem use in other browsers, quit blowing it out of proportion.

It now emerges that Facebook has done exactly the same thing (a Microsoft Partner no less) using the exact same "exploit", furthermore this "exploit" was marked for Microsoft Attention back in 2010.

Quit bitching at Google, there was a way to do what they needed to do and they did it, same as Facebook and no doubt a lot more. If anyone's to blame it's Microsoft for not patching their browser, it's worth pointing out this weakness was patched in the WebKit code by Google so Apple's Safari fix was implemented by Google.

Ok reading the IE9 blog post and the Google policy it mentions inside the P3P header here: http://support.google.com/accounts/bin/answer.py?hl=en&answer=151657 , it sounds like P3P is a flawed system as any site can just say "hey, I won't do anything bad with this data, I promise!", and the browser just accepts that without any verification.

A lot of Google's services couldn't function the way they currently do without those cookies, and as it's not really even a security system, acting like it is, is a problem.

The only solution to tracking cookies is to develop a system that doesn't need them. I'd go for something similar to Facebook's application API where each app has to specifically request what data it wants access to, then the user needs to allow that before the data can have it.
That way you could, for example, say 'disallow cookies from containing my URL' or 'make this cookie expire after 5 minutes'.

You don't have to be using either IE (Firefox does or at least did support it and other browsers probably do too - not because it's useful, but because it's another "standards compliant" checkbox people seem so keen on benchmarking) or any Google sites, let alone an account (it's their ads, not Google sites), for this to "matter".

Microsoft has been fully aware of this problem for years. A report published in 2010 detailed how P3P privacy policies were being misrepresented in this exact way.

It's now 2012 and until the highlighting of Google doing this, Microsoft cared little enough to do anything about it. Why did they do nothing about it? Listing a few sites that were doing the same thing will give you a good idea:

Windows.com
Live.com
MSN.com

This seems like an ugly smear campaign more than anything else.

You can read the report yourself here: http://www.cylab.cmu.edu/files/pdfs/tech_reports/CMUCyLab10014.pdf
